How many loved your moments of glad grace, / And loved your beauty with love false or true, / But one man loved the pilgrim soul in you, / And loved the sorrows of your changing face. (W. B. Yeats, "When You Are Old")
Category: LINUX
2014-09-19 16:46:03
Server configuration before installation:
First make sure the server's hostname is a proper FQDN; a hostname without a "." is wrong.
Run:
hostname -i
The output should be your server's IP (on a NAT network it is the private address). Otherwise run the following, substituting the server's address, and check the resulting /etc/hosts line by hand (hostname -A prints every FQDN the resolver returns for the host, possibly more than one):
echo "<server IP> $(hostname -A)" >> /etc/hosts
Building from Source
If your operating system has support for a package manager such as .deb or .rpm file format, we recommend that you follow the instructions in the next section instead:
If you have problems when trying to run FreeRADIUS, and you see error messages like:
rlm_sql: Could not link driver rlm_sql_mysql: file not found
Then the shared libraries on your system are misconfigured.
Starting the Server
Once it has been installed, the first thing to do is change as little as possible. The default configuration is designed to work everywhere, and to perform nearly every authentication method.
Do not edit the default configuration files until you understand what they do. This means reading the documentation contained in the comments of the configuration files.
Many common configurations are documented as suggestions or examples in the configuration files. Many common problems are discussed in the configuration files, along with suggested solutions.
We recommend reading the configuration files, in large part because most of the configuration items are documented only in the comments in the configuration files.
When the server has been installed on a new machine, the first step is to start it in debugging mode, as user root, with radiusd -X. The server then stays in the foreground and prints every configuration decision and every packet it handles, which is exactly what you want while testing; do not run it as a daemon until the tests below pass.
Initial Tests
Testing authentication is simple. Edit the users file, and add the following line of text at the top, before anything else:
testing Cleartext-Password := "password"
Start the server in debugging mode (radiusd -X), and run radtest from another terminal window, giving it the user name (testing), the password, the server address (localhost), a NAS port number and the shared secret of the client entry you are sending from (testing123 for the default localhost entry in clients.conf).
You should see the server respond with an Access-Accept. If it doesn't, the debug log will show why. Paste the output into the debug form, and a colorized HTML version will be produced. Look for red or yellow text, and read the messages.
If you do see an Access-Accept, then congratulations, the following authentication methods now work for the testing user:
PAP, CHAP, MS-CHAPv1, MS-CHAPv2, PEAP, EAP-TTLS, EAP-GTC, EAP-MD5.
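What radtest actually does for that first PAP test, as an added example (not FreeRADIUS documentation or code): it builds the Access-Request, hides the password with the shared secret as RFC 2865 prescribes, lets a users-file style server check it, and verifies the Response Authenticator on the reply. The user, password and secret are the ones from the page; the packet identifier and the Request Authenticator are constructed test values, and nothing touches the network.

```python
"""RADIUS PAP exchange as radtest performs it (RFC 2865).

Added example, not FreeRADIUS documentation or code.  Builds the
Access-Request radtest sends for the 'testing' user, answers it as a server
with 'testing Cleartext-Password := "password"' in its users file would, and
checks the Response Authenticator the client must verify.  Identifier and
Request Authenticator are constructed values (radtest uses random bytes).
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5   # attribute types
HEADER = struct.Struct("!BBH")                  # Code, Identifier, Length


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16, XOR each chunk with
    MD5(secret + previous cipher chunk), seeded with the Request Authenticator.
    Obfuscation only: anyone holding the shared secret undoes it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes (max 255)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(body: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(body):
        kind, length = struct.unpack_from("!BB", body, i)
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[kind] = body[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, req_auth, user, password, secret) -> bytes:
    body = (attr(USER_NAME, user.encode())
            + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
            + attr(NAS_PORT, struct.pack("!I", 0)))   # radtest's nas_port argument
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def server_reply(request: bytes, secret: bytes, users: dict) -> bytes:
    """Cleartext-Password check, then Accept/Reject with Response Authenticator
    = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = HEADER.unpack_from(request)
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:])
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    given = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    expected = users.get(user, b"")
    ok = bool(expected) and hmac.compare_digest(expected, given)
    head = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()


def verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not verify was not made
    by a holder of the shared secret, or answers a different request."""
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def radtest(user, password, secret, users, server_secret=None) -> int:
    """Run the whole exchange in-process; returns the reply Code."""
    ident, req_auth = 7, bytes(range(16))   # constructed test values
    request = build_access_request(ident, req_auth, user, password, secret)
    reply = server_reply(request, server_secret or secret, users)
    if not verify_reply(reply, req_auth, secret):
        raise ValueError("Response Authenticator mismatch: shared secrets differ?")
    return reply[0]
```

Two things worth noticing when reading the debug output of a failing radtest: a mismatched shared secret does not produce an error message from the server, it produces a garbage password and therefore an Access-Reject (or, in the other direction, a reply whose authenticator the client refuses); and the User-Password hiding is reversible by anyone who captures the packet and knows the secret, which is why the secret must be long and random and why RADIUS between buildings belongs inside IPsec or RadSec.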
The next step is to add more users, and to configure databases. Those steps are outside of the scope of this short web page, but the general method to use is important, and is outlined in the next section.
The following steps outline the best known method for configuring the server. Following them lets you create complex configurations with a minimum of effort. Failure to follow them leads to days of frustration and wasted effort.
2. Edit the configuration file /etc/freeradius/radiusd.conf and change allow_vulnerable_openssl = no to allow_vulnerable_openssl = yes.
Caveat: this setting exists because the server refuses to start when it detects an OpenSSL build with a known vulnerability (the check was added after CVE-2014-0160, Heartbleed). Setting it to yes only silences that refusal; it does not make the library safe, and an EAP server linked against a Heartbleed-vulnerable OpenSSL leaks process memory, potentially including the server's private key, to any client that can reach the TLS handshake, which on a wireless network is anyone. Upgrade the OpenSSL package and restart radiusd instead, and leave the value at no unless you have confirmed the installed library is back-patched and only its version string trips the check.
Configuring the Server
Before creating any certificates, make sure the server clock is right: the CA and server certificates are stamped with the current time, and a supplicant rejects a certificate whose notBefore lies in the future or whose notAfter has passed, so a skewed clock produces failures that look like bad certificates. Sync against an NTP server (10.16.250.11 is the author's) and write the result to the hardware clock (clock is an alias for hwclock on CentOS/RHEL):
$ ntpdate 10.16.250.11
$ clock -w
$ clock -r
$ hwclock --show
We suggest that new installations use the test certificates for initial tests, and then create real certificates to use for normal user authentication. See the instructions below for how to create the various certificates. The old test certificates can be deleted by running the following command:
$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
Then, follow the instructions below for creating real certificates. Once the final certificates have been created, you can delete the "bootstrap" command from this directory, and delete the "make_cert_command" configuration from the "tls" sub-section of eap.conf. If you do not want to enable EAP-TLS, PEAP, or EAP-TTLS, then delete the relevant sub-sections from the "eap.conf" file.
MAKING A ROOT CERTIFICATE
$ find . -type f -exec touch {} \;
$ vi ca.cnf
Edit the "input_password" and "output_password" fields to be the
password for the CA certificate.
Edit the [certificate_authority] section to have the correct values
for your country, state, etc.
$ make ca.pem
This step creates the CA certificate.
$ make ca.der
This step creates the DER format of the self-signed certificate,
which can be imported into Windows.
MAKING A SERVER CERTIFICATE
$ vi server.cnf
Edit the "input_password" and "output_password" fields to be the
password for the server certificate.
Edit the [server] section to have the correct values for your
country, state, etc. Be sure that the commonName field here is
different from the commonName for the CA certificate.
EXAMPLE:
Note that distinguished_name must point at the [server] section, that server.cnf has no x509_extensions line (it describes a certificate request; the Makefile adds the server extensions from xpextensions when it signs), and that commonName must not be the CA's name; the server's FQDN is the usual choice.
$ vim /etc/raddb/certs/server.cnf
[ req ]
prompt = no
distinguished_name = server
default_bits = 2048
input_password = 11111111a
output_password = 11111111a
[server]
countryName = CN
stateOrProvinceName = Shanghai
localityName = Jiading
organizationName = UCstack Inc.
emailAddress = jacky.sun@ucstack.com
commonName = "UCstack RADIUS Server"
$ make server.pem
This step creates the server certificate.
If you have an existing certificate authority, and wish to create a
certificate signing request for the server certificate, edit
server.cnf as above, and type the following command.
$ make server.csr
You will have to ensure that the certificate contains the extensions
Microsoft clients require (the extendedKeyUsage values kept in the
xpextensions file in this directory); a CA that signs the request
without them produces a certificate Windows supplicants reject.
MAKING A CLIENT CERTIFICATE
Client certificates are used by EAP-TLS, and optionally by EAP-TTLS
and PEAP. The following steps outline how to create a client
certificate that is signed by the server certificate created above.
You will have to have the password for the server certificate in the
"input_password" and "output_password" fields of the server.cnf file.
$ vi client.cnf
Edit the "input_password" and "output_password" fields to be the
password for the client certificate. You will have to give these
passwords to the end user who will be using the certificates.
Edit the [client] section to have the correct values for your
country, state, etc. Be sure that the commonName field here is
the User-Name that will be used for logins!
EXAMPLE:
$ vim /etc/raddb/certs/client.cnf
[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
input_password = 11111111a
output_password = 11111111a
[client]
countryName = CN
stateOrProvinceName = Shanghai
localityName = Jiading
organizationName = UCstack Inc.
emailAddress = jacky.sun@ucstack.com
commonName = jacky.sun@ucstack.com
$ make client.pem
The user's certificate will be in "emailAddress.pem", i.e.
jacky.sun@ucstack.com.pem for the example above; the file takes its
name from the emailAddress in the [client] section. The password in
client.cnf protects the client's private key and must be handed to the
user together with the file (the Makefile also builds client.p12, the
PKCS#12 bundle that Windows imports).
To create another client certificate, just repeat the steps for
making a client certificate, being sure to enter a different login
name for "commonName", and a different password.
Finally, tell the server the password of its own private key. In the tls { } sub-section of eap.conf (the default value there is "whatever", which only matches the unmodified test certificates), set private_key_password to the output_password used in server.cnf:
$ vim /etc/raddb/eap.conf
private_key_password = 11111111a
Since eap.conf then holds that password in clear, keep it, the server key and the certs directory readable only by root and the user radiusd runs as.
EAP Testing
While FreeRADIUS comes with a command-line tool called radeapclient, by far and away the best EAP testing tool is the eapol_test program from wpa_supplicant.
The default build of wpa_supplicant does not build the eapol_test program, so you will have to do that yourself.
Building eapol_test
Download the latest version of wpa_supplicant, and un-tar it, then follow these instructions to build it:
$ cd wpa_supplicant-version
$ cp defconfig .config
$ vi .config
Find the line containing
#CONFIG_EAPOL_TEST=y
and change it to
CONFIG_EAPOL_TEST=y
Then, type
$ make eapol_test
Once it is done, copy the file to somewhere in your PATH, e.g. /usr/local/bin or ~/bin. The following tests assume that the eapol_test file has been installed, such as via the following command:
$ cp eapol_test /usr/local/bin
Testing
Run the eapol_test program from the command-line, with one of the following configuration files.
$ eapol_test -c file -s testing123
Where file is one of the configuration files below. We are also assuming that the RADIUS server is on localhost, and that the shared secret is testing123.
Example:
$ vim ttls-pap.conf
#
# eapol_test -c ttls-pap.conf -s testing123
#
network={
ssid="example"
key_mgmt=WPA-EAP
eap=TTLS
identity="bob"
anonymous_identity="anonymous"
password="hello"
phase2="auth=PAP"
#
# Uncomment the following to perform server certificate validation.
# ca_cert="/etc/raddb/certs/ca.der"
}
$ eapol_test -c ttls-pap.conf -s testing123
These configuration files assume that you are using the test user bob, with password hello, as given in the PAP howto.
If the production certificates have been created, then the ca_cert entry in each configuration file can be un-commented, and eapol_test will then verify the server certificate. Until it is, eapol_test accepts whatever certificate the server presents, so a wrong server, or an attacker running a rogue access point, would receive the inner PAP password. Leave ca_cert commented only for this local test; real supplicants must be configured with ca_cert (and ideally a subject match on the server certificate) before they are given user credentials.
PERFORMANCE
EAP performance for EAP-TLS, TTLS, and PEAP is dominated by the TLS
computations. A normal system can handle PAP authentication at a rate
of 10k packets/s, but every full TLS handshake costs the server an RSA
private-key operation, which is very expensive by comparison. To
benchmark your system, do:
$ openssl speed rsa
or
$ openssl speed rsa2048
to test 2048 bit keys.
A 1GHz system will likely do 30 calculations/s. A 2GHz system may
do 50 calculations/s, or more. That number is also the number of
authentications/s that can be done for EAP-TLS (or TTLS, or PEAP).
The figures date from when this text was written and current CPUs do far
more, but the rule still holds: the RSA signing rate for your key size
bounds the rate of full EAP handshakes, and enabling the TLS session
cache in eap.conf lets returning clients resume without paying it again.
SQL HOWTO
FreeRADIUS Server works out of the box with a large list of SQL servers.
Unfortunately there are a number of configuration guides available on the internet that are either for very old versions of FreeRADIUS Server, or are wrong, or both. This article will attempt to correct some of the misinformation. These instructions were originally written for FreeRADIUS Server version 1.1.x and have been tested on openSUSE 10.2, CentOS 5.0 and CentOS 5.1.
Before You Start
Before starting with FreeRADIUS, please make sure your server is up and configured on your network, that you have your SQL server of choice (MySQL, Postgresql etc) installed and running, and that your NAS is configured to send RADIUS requests to your RADIUS server.
Some sample configs for Cisco NASes are linked from the original wiki page.
Basic configuration
See Basic configuration HOWTO
Setting up the RADIUS database
First, you should create a new empty 'radius' database in SQL and a database user with permissions to that database. You could of course call the database and the user anything you like but you probably should stick with 'radius' for both to keep things simple.
Next up, you need to create the schema for your database. There is an SQL script file for each SQL type in doc/examples/ in your operating system's doc directory (or where you untar'd FreeRADIUS). On SUSE this is under /usr/share/doc/packages/freeradius/
* Create MySQL Database
mysql -uroot -p
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
exit
Note: use a more secure password than "radpass" in the above example, and keep the grant limited to radius.* and to localhost as shown; the RADIUS account needs no rights on any other database. (MySQL 8 and later no longer accept IDENTIFIED BY inside GRANT: create the user first with CREATE USER, then GRANT without that clause.)
cd /usr/share/doc/packages/freeradius/doc/examples/ (Sorry, I can't find this directory on my CentOS + FreeRADIUS 2.1.10.)
mysql -uroot -p radius < mysql.sql
Note: CentOS/RHEL schema file location: /etc/raddb/sql/mysql/schema.sql
Note: Ubuntu schema file location: on Ubuntu the schema file is not called mysql.sql but schema.sql, and it lives in /etc/freeradius/sql/mysql/
mysql -u root -p radius < /etc/raddb/sql/mysql/schema.sql
Note: on CentOS the file is under /etc/raddb, not /etc/radius, and do not pass the root password on the command line as -p11111111a: an argument given that way is visible to every local user in ps output and stays in the shell history. Let mysql prompt for it.
You might additionally want to create this table if you are managing your NASes with FreeRADIUS:
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql
* Create PostgreSQL Database (optional)
su - postgres
createuser radius --no-superuser --no-createdb --no-createrole -P
createdb radius --owner=radius
exit
Note: choose a secure password when prompted for one by the createuser command.
cd /usr/share/doc/packages/freeradius/doc/examples/
psql -U radius radius < postgresql.sql
Configuring FreeRadius to use SQL
Edit either /etc/raddb/sql.conf or /etc/raddb/postgresql.conf and enter the server, name and password details to connect to your SQL server and the RADIUS database. The database and table names should be left at the defaults if you used the default schema. For testing/debug purposes, switch on sqltrace if you wish - FreeRadius will dump all SQL commands to the debug output with this on.
In /etc/raddb/radiusd.conf ensure that the line saying:
$INCLUDE sql.conf
is uncommented.
You will also need to edit /etc/raddb/sql.conf and point it at the appropriate database driver (PostgreSQL, MySQL, etc.) by editing the line:
database = "mysql"
so that it names the database type you are using.
If you're stripping all realm names (i.e. you want user joe@domain.com to authenticate as just 'joe'), then in the file raddb/sql/database/dialup.conf, under the 'query config: username' section, you MAY need to adjust the line(s) referring to sql_user_name. I needed to do this originally because we want to drop all realms, but you probably won't need to do this with the latest FreeRADIUS. For example, in our case I needed to uncomment the line:
sql_user_name = '%{Stripped-User-Name}'
..and comment out the following line referring to just User-Name. If you want to see what's happening here, switch on all the logging options in radiusd.conf and run radiusd in debug mode (-X): you'll see "user@domain" being passed to SQL when using User-Name, but just "user" when using Stripped-User-Name. Using the latter, realms worked for me (basically, I strip everything, as all user names are unique on the server anyway). Of course, set all your other SQL options as needed (database login details, etc.).
Edit /etc/raddb/sites-available/default and uncomment the line containing 'sql' in the authorize{} section. The best place to put it is just after the 'files' entry. Indeed, if you'll just be using SQL, and not falling back to text files, you could comment out or delete the 'files' entry altogether.
Additionally, edit /etc/raddb/sites-available/inner-tunnel and uncomment the line containing 'sql' under "authorize {}". See below.
Also uncomment the line saying 'sql' in the accounting{} section to tell FreeRADIUS to store accounting records in SQL as well.
Optionally add or uncomment 'sql' to the session{} section if you want to do Simultaneous-Use detection.
Optionally add or uncomment 'sql' to the post-auth{} section if you want to log all Authentication attempts to SQL.
You should not change/delete any other lines in the config file without reading and understanding the comments!
With those entries uncommented, radiusd.conf and the two virtual-server files now reference the sql module in each of the sections listed above and nothing else has changed.
You should now create some dummy data in the database to test against. It goes something like this:
* In usergroup, put entries matching a user account name to a group name.
* In radcheck, put an entry for each user account name with a 'Cleartext-Password' attribute whose value is their password.
* In radreply, create entries for each user-specific RADIUS reply attribute against their username.
* In radgroupreply, create attributes to be returned to all group members.
Here's a dump of some example 'radius' tables from a MySQL database (with PostgreSQL the formatting looks slightly different, but the content is exactly the same). This example includes three users: one with an IP dynamically assigned by the NAS (fredf), one assigned a static IP (barney), and one representing a dial-up routed connection (dialrouter). The dump itself was a collapsible block in the original post and is not reproduced on this page.
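Since the table dump is missing, here is an added example (not the wiki's dump and not rlm_sql code) that builds the same four tables in an in-memory SQLite database, loads the three users just described with constructed passwords and addresses, and then runs the lookups rlm_sql performs in authorize{}: user check items, user reply items, then each group's check and reply items in priority order, with the FreeRADIUS operator rules applied. It also shows the Stripped-User-Name versus User-Name distinction from the sql_user_name discussion above. The shipped schema has more columns and, in 2.x, names the membership table radusergroup; values here are bound with '?' where the real dialup.conf queries interpolate %{SQL-User-Name} (which rlm_sql escapes).

```python
"""rlm_sql-style authorization over radcheck / radreply / radgroupcheck /
radgroupreply / usergroup, as an added example (not FreeRADIUS code).
Sample rows are constructed; the schema is trimmed to the columns used."""
import hmac
import sqlite3

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE usergroup     (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
"""

# Constructed rows.  fredf gets a NAS-assigned address via the 'dynamic'
# group; barney's and dialrouter's addresses come from radreply, so the
# group's Framed-IP-Address (op '=') must not override them.
ROWS = {
    "radcheck": [("fredf", "Cleartext-Password", ":=", "wilma"),
                 ("barney", "Cleartext-Password", ":=", "betty"),
                 ("dialrouter", "Cleartext-Password", ":=", "dialup")],
    "radreply": [("barney", "Framed-IP-Address", ":=", "1.2.3.4"),
                 ("dialrouter", "Framed-IP-Address", ":=", "2.3.4.5"),
                 ("dialrouter", "Framed-Route", "+=", "192.168.1.0/24 2.3.4.5 1")],
    "radgroupcheck": [("dynamic", "Simultaneous-Use", ":=", "1")],
    "radgroupreply": [("dynamic", "Service-Type", "=", "Framed-User"),
                      ("dynamic", "Framed-Protocol", "=", "PPP"),
                      ("dynamic", "Framed-IP-Address", "=", "255.255.255.254"),  # RFC 2865: NAS assigns
                      ("static", "Service-Type", "=", "Framed-User"),
                      ("static", "Framed-Protocol", "=", "PPP"),
                      ("static", "Framed-IP-Address", "=", "255.255.255.254")],
}
MEMBERSHIP = [("fredf", "dynamic", 1), ("barney", "static", 1), ("dialrouter", "static", 1)]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():          # table names are constants from ROWS, not input
        key = "groupname" if table.startswith("radgroup") else "username"
        conn.executemany(f"INSERT INTO {table} ({key}, attribute, op, value) VALUES (?, ?, ?, ?)", rows)
    conn.executemany("INSERT INTO usergroup VALUES (?, ?, ?)", MEMBERSHIP)
    return conn


def merge(items: list, rows) -> list:
    """Apply FreeRADIUS operators to an ordered (attribute, value) list:
    ':=' set/replace, '=' add only if absent, '+=' always add."""
    for attribute, op, value in rows:
        if op == ":=":
            items = [(a, v) for a, v in items if a != attribute] + [(attribute, value)]
        elif op == "=":
            if all(a != attribute for a, _ in items):
                items.append((attribute, value))
        elif op == "+=":
            items.append((attribute, value))
        else:
            raise ValueError(f"operator {op!r} not handled in this example")
    return items


def sql_user_name(user_name: str, strip_realm: bool = True) -> str:
    """sql_user_name = '%{Stripped-User-Name}' (strip) or '%{User-Name}'."""
    return user_name.split("@", 1)[0] if strip_realm else user_name


def authorize(conn, user_name: str, password: str, strip_realm: bool = True):
    """Returns ('notfound' | 'reject' | 'accept', reply_items)."""
    name = sql_user_name(user_name, strip_realm)
    q = "SELECT attribute, op, value FROM {} WHERE {} = ? ORDER BY id"   # names are constants below
    checks = merge([], conn.execute(q.format("radcheck", "username"), (name,)))
    if not checks:                       # no radcheck row: rlm_sql returns notfound
        return "notfound", []
    reply = merge([], conn.execute(q.format("radreply", "username"), (name,)))
    groups = conn.execute("SELECT groupname FROM usergroup WHERE username = ? ORDER BY priority",
                          (name,)).fetchall()
    for (group,) in groups:              # rlm_sql skips a group whose check items fail; not modelled
        checks = merge(checks, conn.execute(q.format("radgroupcheck", "groupname"), (group,)))
        reply = merge(reply, conn.execute(q.format("radgroupreply", "groupname"), (group,)))
    expected = dict(checks).get("Cleartext-Password", "")
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        return "reject", []
    return "accept", reply
```

Run authorize() for barney@example.com with and without realm stripping and you see exactly the behaviour the sql_user_name paragraph describes: with Stripped-User-Name the radcheck row for "barney" is found, with User-Name the lookup for the full string finds nothing and the module returns notfound. The ordering also matters: because the user's own radreply rows are merged before the group's, barney keeps his static 1.2.3.4 while the group's '=' Framed-IP-Address is ignored, and fredf receives the group's 255.255.255.254.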